OSPF authentication

OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.

Two types of authentication can be used:
1. Clear-text authentication – clear-text passwords are used.
2. MD5 authentication – messages are authenticated with MD5. This type of authentication is more secure because the password is not sent in clear text over the network.
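
The following Python example is added here and is not from the original page. It builds an OSPFv2 Hello with each authentication type, following RFC 2328 Appendix D, to show that the clear-text password travels inside the packet while MD5 authentication sends only a digest computed over the packet and the key. The router ID, password, sequence number, all-zero Hello body and the zero-padding of the password and key are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ROUTER_ID = bytes([10, 0, 0, 1])  # constructed sample router ID
AREA_ID = bytes(4)                # area 0
BODY = bytes(20)                  # all-zero stand-in for the 20-byte Hello body

def header(autype, auth_field, checksum=0):
    """24-byte OSPFv2 header of a Hello (version 2, type 1)."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(BODY),
                       ROUTER_ID, AREA_ID, checksum, autype, auth_field)

def inet_checksum(data):
    """16-bit one's-complement checksum (data length must be even)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def cleartext_packet(password):
    """AuType 1: the password itself fills the 8-byte authentication field."""
    auth = password.encode().ljust(8, b"\0")[:8]   # assumption: zero-padded
    # The checksum covers the packet except the authentication field.
    csum = inet_checksum(header(1, bytes(8))[:16] + BODY)
    return header(1, auth, csum) + BODY

def pad_key(key):
    return key.encode().ljust(16, b"\0")[:16]      # assumption: zero-padded to 16 bytes

def md5_packet(key, key_id, seq):
    """AuType 2: the header carries key ID, digest length and sequence number."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = header(2, auth) + BODY                   # checksum stays 0 for AuType 2
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify_md5(wire, key):
    """Receiver side: recompute the digest with the locally configured key."""
    pkt, digest = wire[:-16], wire[-16:]
    return hmac.compare_digest(digest, hashlib.md5(pkt + pad_key(key)).digest())

if __name__ == "__main__":
    print(cleartext_packet("s3cret").hex())        # password bytes are visible
    wire = md5_packet("s3cret", key_id=1, seq=100)
    print(wire.hex(), verify_md5(wire, "s3cret"), verify_md5(wire, "wrong"))
```

A receiver configured with a different key, or one that sees a packet modified in transit, computes a different digest and rejects the packet.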

To configure clear text authentication, the following steps are required:

1. Configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command.
2. Configure the interface to use OSPF clear-text authentication by using the ip ospf authentication interface command.

In the following example, we will configure OSPF clear-text authentication.

Both routers are running OSPF. On R1, we need to enter the following commands:

The same commands have to be entered on R2:

To verify that clear-text authentication is indeed turned on, we can use the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command on either router:

Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:

1. First, configure the MD5 value on an interface by using the ip ospf message-digest-key 1 md5 VALUE interface command.
2. Next, configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command.

Here is an example configuration on R1:

You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command:

NOTE
The OSPF authentication type can also be enabled for a whole area instead of being configured on each interface. This is done by using the area AREA_ID authentication [message-digest] command in OSPF configuration mode. If you omit the message-digest keyword, clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.